Emma Woollacott, 15th January 2013

The victims include government and diplomatic offices around the world, particularly in Eastern Europe and Central Asia. The malware appears to have been engineered to steal data encrypted with Acid Cryptofiler, classified software used by NATO and several EU countries.

"Currently, there is no evidence linking this with a nation-state sponsored attack," says Kaspersky. "The information stolen by the attackers is obviously of the highest level and includes geopolitical data which can be used by nation states. Such information could be traded in the underground and sold to the highest bidder, which can be of course, anywhere."

Most infected machines were found in Russia, although six were in the US. The attackers appear to be Russian-speaking, with a number of Russian words found embedded in the code.

"The main objective of the attackers was to gather sensitive documents from the compromised organizations, which included geopolitical intelligence, credentials to access classified computer systems, and data from personal mobile devices and network equipment," says the team.

The attackers used malware they'd designed themselves, Rocra, which Kaspersky says has a unique modular architecture made up of malicious extensions, data-stealing modules and backdoor Trojans.

A unique module, embedded as a plug-in inside Adobe Reader and Microsoft Office installations, allows the attackers to regain access to a target system if the main malware body is discovered and removed, or if the system is patched. Once the command and control servers are operational again, the attackers send a PDF or Office document to victims’ machines via email, activating the malware once again.

"To infect systems the attackers sent a targeted spear-phishing email to a victim that included a customized Trojan dropper. In order to install the malware and infect the system the malicious email included exploits that were rigged for security vulnerabilities inside Microsoft Office and Microsoft Excel," says Kaspersky.

"The exploits from the documents used in the spear-phishing emails were created by other attackers and employed during different cyber attacks including Tibetan activists as well as military and energy sector targets in Asia."
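The two quotes above describe the delivery channel: a spear-phishing email carrying an Office, Excel or PDF document rigged with an exploit, and the same kind of attachment used later to re-activate the hidden plug-in. The example below is an added illustration, not Kaspersky's tooling and not code from the original article. It shows the cheap, offline triage a mail gateway can run on such attachments before they reach a mailbox: it classifies a file by its leading bytes rather than its extension, flags extension/content mismatches, and flags auto-run actions and script in PDFs, VBA macros in legacy OLE and OOXML documents, and embedded objects. The samples are constructed, the verdict policy is an assumption, and the checks are indicators only; they do not detect document-parser exploits of the kind the article mentions, which still need patching and sandbox detonation.

```python
import io
import zipfile

# Container signatures (leading bytes).
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"   # legacy .doc/.xls/.ppt
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML .docx/.xlsx/...
PDF_MAGIC = b"%PDF-"

LEGACY_OFFICE = {"doc", "xls", "ppt"}
OOXML_OFFICE = {"docx", "xlsx", "pptx", "docm", "xlsm", "pptm"}

# PDF name objects that run an action or code when the document opens.
PDF_AUTORUN = (b"/OpenAction", b"/AA")
PDF_CODE = (b"/JavaScript", b"/JS", b"/Launch")


def detect_container(data: bytes) -> str:
    """Classify by magic bytes; never trust the filename extension."""
    if data.startswith(PDF_MAGIC):
        return "pdf"
    if data.startswith(OLE_MAGIC):
        return "ole"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    return "unknown"


def _pdf_findings(data: bytes) -> list:
    found = []
    if any(k in data for k in PDF_AUTORUN):
        found.append("pdf-autorun-action")
    if any(k in data for k in PDF_CODE):
        found.append("pdf-script-or-launch")
    if b"/EmbeddedFile" in data:
        found.append("pdf-embedded-file")
    return found


def _ole_findings(data: bytes) -> list:
    # OLE directory entries hold stream names as UTF-16LE; the VBA project
    # storage is the macro indicator worth scanning for in the raw bytes.
    markers = ("_VBA_PROJECT".encode("utf-16-le"), "Macros".encode("utf-16-le"))
    return ["ole-vba-macros"] if any(m in data for m in markers) else []


def _ooxml_findings(data: bytes) -> list:
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = [n.lower() for n in z.namelist()]
    except zipfile.BadZipFile:
        return ["zip-unreadable"]
    found = []
    if any(n.endswith("vbaproject.bin") for n in names):
        found.append("ooxml-vba-macros")
    if any("/embeddings/" in n for n in names):
        found.append("ooxml-embedded-object")
    return found


def triage_attachment(filename: str, data: bytes) -> dict:
    """Return container type, findings and an assumed verdict policy."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    container = detect_container(data)
    findings = []
    # A '.pdf' that is really an OLE file (or the reverse) is a lure choosing
    # which vulnerable application will open it.
    expected = {"pdf": "pdf", **{e: "ole" for e in LEGACY_OFFICE},
                **{e: "zip" for e in OOXML_OFFICE}}.get(ext)
    if expected and container != expected:
        findings.append(f"extension-mismatch:{ext}!={container}")
    if container == "pdf":
        findings += _pdf_findings(data)
    elif container == "ole":
        findings += _ole_findings(data)
    elif container == "zip" and ext in OOXML_OFFICE:
        findings += _ooxml_findings(data)
    hard = {"pdf-script-or-launch", "ole-vba-macros", "ooxml-vba-macros"}
    if any(f.startswith("extension-mismatch") or f in hard for f in findings):
        verdict = "quarantine"
    else:
        verdict = "review" if findings else "allow"
    return {"filename": filename, "container": container,
            "findings": findings, "verdict": verdict}


def build_ooxml(with_macro: bool) -> bytes:
    """Constructed minimal OOXML package (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


# Constructed samples; none is real malware.
SAMPLES = {
    "report.pdf": b"%PDF-1.4\n1 0 obj<</Type/Catalog/OpenAction<</S/JavaScript/JS()>>>>endobj\n%%EOF",
    "memo.docx": build_ooxml(with_macro=False),
    "invoice.docx": build_ooxml(with_macro=True),
    "budget.xls": OLE_MAGIC + b"\x00" * 64 + "_VBA_PROJECT".encode("utf-16-le"),
    "agenda.pdf": OLE_MAGIC + b"\x00" * 64,   # legacy Office file named .pdf
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        r = triage_attachment(name, blob)
        print(f"{name:13s} {r['container']:8s} {r['verdict']:10s} {r['findings']}")
```

In a real gateway these findings feed a policy rather than a block list: a macro-bearing invoice from an unknown sender is quarantined, while the same indicators from an internal system might only be logged. The mismatch check is the one that costs nothing and catches the crudest lures outright.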

Kaspersky says it's now working with law enforcement agencies and Computer Emergency Response Teams (CERTs) on mitigation measures. There's more information here.